
Introduction to AAA Server
Chapter 12
RADIUS Overview
The Remote Authentication Dial In User Service (RADIUS) protocol is
widely used and implemented to manage access to network services. It
defines a standard for information exchange between a Network Access
Server (NAS) and an authentication, authorization, and accounting
(AAA) server for performing authentication, authorization, and
accounting operations. A RADIUS AAA server can manage user profiles
for authentication (verifying user name and password), configuration
information that specifies the type of service to deliver, and policies
to enforce that may restrict user access.
RADIUS Topology
The RADIUS protocol follows a client-server architecture. The client sends
user information to the RADIUS AAA server (in an Access-Request
message) and, after receiving a reply from the server, acts according to the
returned information. The RADIUS AAA server receives user requests
for access from the client, attempts to authenticate the user, and returns
the configuration information and policies to the client. The RADIUS
AAA server may be configured to authenticate an Access-Request locally
or to act as a proxy client and forward a request to another AAA server.
After forwarding a request, it handles the message exchanges between
the NAS and the remote server. A single server can be configured to
handle some requests locally and to forward proxy requests to remote
servers.
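As an added illustration of the exchange described above (example code written for this page, not code from HP's AAA server or from the manual), the following Python script plays both sides of one RADIUS authentication: the NAS builds an Access-Request carrying User-Name and a User-Password hidden as RFC 2865 specifies, the server authenticates locally against a user table and answers Access-Accept or Access-Reject, and the NAS verifies the Response Authenticator before trusting the reply. The user table, the shared secret, the NAS address 192.0.2.10 and the identifier value are constructed assumptions.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_REPLY_MESSAGE = 1, 2, 4, 18

# Constructed sample data (not from the manual): one realm user, a shared secret, a NAS address.
USERS = {b"alice": b"s3cret"}
SHARED_SECRET = b"example-shared-secret"
NAS_IP = bytes([192, 0, 2, 10])


def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte length, value."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    """Parse TLVs back into (type, value) pairs, rejecting truncated or zero-length entries."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the first block chains from the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password, run by the server; strips the null padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, body):
    """Header: code, identifier, total length, 16-byte authenticator, then the attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad length field")
    return code, ident, pkt[4:20], pkt[20:length]


def response_authenticator(code, ident, request_auth, body, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def nas_build_request(username, password, secret, ident):
    """Client (NAS) side: fresh random Request Authenticator and a hidden User-Password."""
    req_auth = os.urandom(16)
    body = encode_attrs([
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, hide_password(password, secret, req_auth)),
        (ATTR_NAS_IP_ADDRESS, NAS_IP),
    ])
    return build_packet(ACCESS_REQUEST, ident, req_auth, body), req_auth


def server_handle(pkt, secret, users):
    """Server side: authenticate locally against the user table, answer Accept or Reject."""
    code, ident, req_auth, body = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    attrs = dict(decode_attrs(body))
    user = attrs.get(ATTR_USER_NAME)
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    ok = user in users and hmac.compare_digest(users[user], password)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_body = encode_attrs([(ATTR_REPLY_MESSAGE, b"Welcome" if ok else b"Login incorrect")])
    auth = response_authenticator(reply_code, ident, req_auth, reply_body, secret)
    return build_packet(reply_code, ident, auth, reply_body)


def nas_check_reply(reply, ident, req_auth, secret):
    """Client side: trust a reply only if its identifier matches the outstanding request
    and its Response Authenticator verifies under the shared secret."""
    code, reply_ident, auth, body = parse_packet(reply)
    if reply_ident != ident:
        raise ValueError("identifier does not match an outstanding request")
    if not hmac.compare_digest(auth, response_authenticator(code, ident, req_auth, body, secret)):
        raise ValueError("Response Authenticator mismatch: reply not from the expected server")
    return code


def run_exchange(username, password, secret=SHARED_SECRET, users=USERS, corrupt=False):
    """Full NAS <-> server round trip; `corrupt` simulates a modified reply code in transit."""
    ident = 7  # constructed; a real NAS cycles identifiers per outstanding request
    request, req_auth = nas_build_request(username, password, secret, ident)
    reply = server_handle(request, secret, users)
    if corrupt:
        reply = bytes([ACCESS_ACCEPT]) + reply[1:]
    return nas_check_reply(reply, ident, req_auth, secret)


if __name__ == "__main__":
    print("alice/s3cret ->", run_exchange(b"alice", b"s3cret"))  # 2 (Access-Accept)
    print("alice/wrong  ->", run_exchange(b"alice", b"wrong"))   # 3 (Access-Reject)
```

The two checks in nas_check_reply are the ones a NAS relies on: the identifier must match a request it actually sent, and the Response Authenticator must recompute under the shared secret; a reply failing either is dropped and logged rather than acted on. Note that the RFC 2865 password hiding and the authenticators are MD5 constructions keyed only by the shared secret, so the secret's strength and the protection of the NAS-to-server path (for example RADIUS over TLS, RFC 6614) decide how much the exchange can be trusted.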
In Figure 1-1 on page 3, an example ISP uses four AAA servers to handle
user requests. Each user organization represents a logical grouping of
users (defined as a realm). Each user organization dials in to one of the
ISP's servers through an assigned NAS; some NASs are shared by several
groups or realms. To provide the appropriate service to a customer, the
server accesses user and policy information from a repository, which may
be integrated with the server, may be an external application, or may be a
database that interfaces with the server. For the HP-UX AAA RADIUS
and policy server, the repository information may be stored in flat text
files or in an external database, such as an Oracle® database or an LDAP
directory server.